How Can Law Firms Manage Client CTA Data?

Many law firm leaders must be wondering how they will manage CTA data on behalf of their clients and their clients' investors.

Law firms have become increasingly sensitive to the exposure they have to data breaches involving the data they store for their clients.  Law firms house mountains of documents for their clients, including contracts, business plans, the personally-identifiable information (PII) of investors and executives, and schedules of key facts that apply to company contracts.  Because these documents contain so much valuable data, hackers and other perpetrators have begun to target law firms for data breaches.

CTA Data

The Corporate Transparency Act (CTA) was adopted by Congress in December 2020.  It obligates most companies in the U.S. to file a beneficial ownership report with FinCEN. FinCEN is the financial crimes enforcement network of the U.S. Treasury Department.

Each beneficial ownership report must identify the company applicant who formed the company and each beneficial owner. For each individual, the report must provide the person's full legal name, data of birth, home address and a unique identifying number. The report must also provide an image of the document that provides the unique identifying number. Acceptable documents and numbers include an unexpired passport or drivers license. Because personally-identifiable information (PII) is sensitive, many companies will face an immense challenge to collect, store and compile this data.

Law firms face an even-greater challenge when they try to assist their clients in collecting, storing and compiling CTA data in anticipation of filing a beneficial ownership report.

Law Firm Document Management Systems Are Not Secure

Nearly every large law firm has a document management system.  Nearly all of these systems organize documents by criteria like client number, document name, author, and so on.  Because law firms what their lawyers to collaborate and produce work product efficiently, law firm document management systems generally allow all of the firm's lawyers, paralegals and staff to search, open and read every document in the system.

This openness is precisely the reason why a standard document management system is a poor tool to use when collecting, storing and collaborating CTA data.

Storing CTA data in an open access document management system simply increase the law firm's vulnerability to security breaches.  

The CTA Requires Collaboration in New Ways

The CTA requires companies, their investors, managers and lawyers to collaborate in new ways.

Previously, if a company raised funds from investors, the company's lawyers would prepare the investment documents.  Investors would sign the documents and would fund their investments. Management would then spend the funds raised in building the business.  Investors who did not sit on the company's board would have little input to the company's management.  The company's management would have little to ask of the investors.  The two groups rarely spoke, apart from occasional management reports to investors.

The CTA changes that dynamic.

Because the CTA obligates companies to file beneficial ownership reports with FinCEN, companies must now obligate their investor to provide accurate PII to the company to populate those reports.  In addition, the CTA requires companies to file an amendment whenever any item of reported information changes.  As a result, the company's management must have the means to require investors to provide immediate notice of any change in an investor's PII that was covered by a prior report.

If the company uses its law firm to play a gating role in collecting, storing and compiling PII for CTA purposes, the law firm will require a new form of data management system to collect, store and manage the PII it collects from its clients' investors and managers.  Simply filing PII into a central document management system won't cut it. 

Law firms will need a tool that allows their clients (and their clients' investors and managers) to submit their PII so that it can be included in the beneficial ownership report, but also held separate from view from persons not authorized to view it.  

Time is running short.  Companies will need to file their first reports within one year after FinCEN adopts its implementing regulations.  FinCEN released draft regulations in late 2021 but has not yet announced when those regulations will take effect.  Such an announcement could come at any time.  Companies formed after the effective date of those regulations will need to file their initial beneficial ownership report within 14 days after formation.  

FinCEN's announcement that its regulations are going effective will trigger a wave of client inquiries and law firm meltdowns for those who are unprepared.  Law firms should begin to prepare now in order to withstand the coming tidal wave.